This invention relates generally to distributed processing, and more particularly to enabling a process distributed by a trusted source access to persistent local storage.
Distributed processing in a client-server environment permits a process running on a local, or client, computer to access data and/or execute a process on a remote, or server, computer, and permits the remote process access to local data. One challenge in distributed processing is making the interaction between the local process and the remote process transparent so that a user working on the local computer is unaware of the location of the processes and the data. The challenge becomes particularly acute when the local and remote machines are on a wide-area network, such as the World Wide Web, because the slowness of the underlying communication medium introduces delays in exchanging data on a real-time basis. Therefore, time-critical portions of the remote process and some of the remote data are typically temporarily downloaded for execution on the local computer. This approach is common in small, executable applications, called applets, which are downloaded from a Web server.
While downloading executable content provides web page designers more options for producing better content, it exposes the client machine and any resources accessible through the client machine to the outside world. For this reason, applets are normally run with a number of restrictions that limit the resources they may access. The restrictions placed on downloaded executable content are collectively referred to as a "sandbox." For example, two relevant restrictions on Java applets are that they may only establish network connections to the web server from which they were loaded, and they may not access the local file system.
However, downloaded applets may require a large amount of persistent storage on the local computer to store data to be accessed by another instance of the applet or another process. For example, a word processor may need to store a document created by the user on the local computer, or a real-time news feed may need to maintain configuration information about the video and audio capabilities of the local computer. Installed libraries may also need storage space separate from that provided to the applet using the library function.
One form of persistent local storage for a Web applet is the "cookie," which is stored in a cookie file on the local hard drive. The use of cookies for persistent storage is limited because access to a cookie is keyed to the remote host and is restricted to only a single cookie per host. In addition, there is no flexibility in the type of storage provided, so the storage space is not configurable to the needs of the program using it.
Regardless of its desirability, permitting downloaded applets access to a local storage system introduces a myriad of security issues. The sandbox approach mentioned above provides security but lacks the persistence characteristic needed in many cases. Only applets from a known and trusted source should be allowed access to persistent local storage. One approach that depends on the trusted source concept is provided by "push" technology.
When the client initiates the download process from the client side, the client is often said to be "pulling" the information from the server. In contrast, push technology enables a server to automatically send information, usually on a regular schedule, to a client computer that "subscribes" to a particular service offered by the server. The user essentially establishes the server as a trusted source when he/she subscribes. One common application for push technology is to deliver news headlines to a user every hour. Push technology can also be used to automatically deliver application code to the client computer when it becomes available. Castanet software from Marimba Inc., for example, permits a user to subscribe to a "channel" that automatically downloads certain types of applications or software updates. Unlike news headlines, which are transient and suitable for temporary storage, code pushed down from the server requires persistent storage space on the client. Therefore, Castanet defines a directory on the hard drive of the client for each subscribed channel. However, the push technology approach treats the user's subscription to a channel as establishing the server as a trusted source; no additional checking on the identity of the source is performed. Furthermore, no size limitation is placed on the amount of data downloaded for each subscribed channel.
Because existing file system interfaces have neither the ability to grant access to persistent local storage areas based on the identity of the source of the applet, nor the ability to control the amount of data written to the file system when such access is granted, there is a need for a mechanism that provides size-controlled persistent local storage to specific, identified applets. Furthermore, such a mechanism should be flexible in the type of persistent local storage provided.
Unshared local storage space is provided by a client computer to a process executing on behalf of an identity. An identity for the process is determined, and the client computer allocates the local storage space based on information specifying local capabilities for the identity. The space is secured with the identity so that only processes executing on behalf of a common identity can access the local storage space for that identity. The local capabilities are enforced by monitoring the use of the local storage space by all processes executing on behalf of the identity. The identity is uniquely defined by a digital certificate or similar security facility. The identity is associated with a data structure, such as a digital signature, that includes the size of the local storage space and, optionally, whether the process is subject to global storage limits set by the computer. The type of local storage controlled by the identity can be on any persistent media such as a hard disk, removable media, or non-volatile memory, without limitation.
Thus, the identity and its associated data structures permit an application acquired from a trusted source access to local storage which is secured, limited and flexible. Keying the local storage to the identity is superior to the standard applet sandboxing approach in that it provides persistent storage without sacrificing security. Furthermore, unlike push technology, the decision to trust a source can be made prior to the time the application is acquired from the source.
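The following is an added illustration of the scheme described in the summary above; it is not code from the patent or from any product it names. It models a trusted source issuing a signed capability (identity, size, and whether the identity is subject to the computer's global limit) and a client-side store that keys space to the identity, refuses a capability whose body has been altered after signing, and monitors total use by every process acting under the same identity. Assumptions, labelled in the code: HMAC-SHA256 under a grantor key stands in for the digital certificate and digital signature, an in-memory dictionary stands in for the persistent medium, and all identities, limits and payloads are constructed for the demonstration.

```python
"""Identity-keyed local storage with a signed size capability (added example).

Assumption: HMAC-SHA256 under a grantor key stands in for the certificate and
signature; a real deployment verifies a certificate chain and an asymmetric
signature. A dict stands in for the persistent medium. All values are constructed.
"""
import hashlib
import hmac
import json

GRANTOR_KEY = b"constructed-grantor-secret"  # assumption: key of the trusted source


def identity_of(certificate_bytes: bytes) -> str:
    """An identity is the fingerprint of the certificate that vouches for the code."""
    return "sha256:" + hashlib.sha256(certificate_bytes).hexdigest()


def issue_capability(identity: str, max_bytes: int, subject_to_global_limit: bool,
                     key: bytes = GRANTOR_KEY) -> dict:
    """Trusted-source side: the signed data structure naming the local capabilities."""
    body = {"identity": identity, "max_bytes": max_bytes,
            "subject_to_global_limit": subject_to_global_limit}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, encoded, hashlib.sha256).hexdigest()}


class LocalStore:
    """Client side: allocates space per identity and monitors every write under it."""

    def __init__(self, global_limit_bytes: int, key: bytes = GRANTOR_KEY):
        self.global_limit = global_limit_bytes
        self.key = key
        self.caps = {}   # identity -> verified capability body
        self.data = {}   # identity -> {object name: bytes}

    def used(self, identity: str) -> int:
        return sum(len(v) for v in self.data.get(identity, {}).values())

    def global_used(self) -> int:
        return sum(self.used(i) for i in self.data)

    def allocate(self, capability: dict) -> str:
        """Verify the capability before granting space; a tampered body is refused."""
        encoded = json.dumps(capability["body"], sort_keys=True).encode()
        expected = hmac.new(self.key, encoded, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, capability["sig"]):
            raise PermissionError("capability signature does not verify")
        identity = capability["body"]["identity"]
        self.caps[identity] = capability["body"]
        self.data.setdefault(identity, {})
        return identity

    def write(self, identity: str, name: str, payload: bytes) -> int:
        """All processes acting under one identity share one quota; returns bytes in use."""
        cap = self.caps.get(identity)
        if cap is None:
            raise PermissionError("no local storage allocated for this identity")
        replaced = len(self.data[identity].get(name, b""))
        new_total = self.used(identity) - replaced + len(payload)
        if new_total > cap["max_bytes"]:
            raise OSError("identity quota of %d bytes exceeded" % cap["max_bytes"])
        if (cap["subject_to_global_limit"]
                and self.global_used() - replaced + len(payload) > self.global_limit):
            raise OSError("global storage limit of %d bytes exceeded" % self.global_limit)
        self.data[identity][name] = bytes(payload)
        return new_total

    def read(self, identity: str, name: str) -> bytes:
        """Objects are keyed to the identity; another identity cannot even name them."""
        if identity not in self.caps:
            raise PermissionError("no local storage allocated for this identity")
        return self.data[identity][name]  # KeyError if this identity never wrote it


def _fails(action, exc_type) -> bool:
    try:
        action()
    except exc_type:
        return True
    return False


def run_demo() -> dict:
    """Constructed scenario: two identities, one global limit, one forged capability."""
    store = LocalStore(global_limit_bytes=120)
    ident_a = identity_of(b"constructed certificate for source A")
    ident_b = identity_of(b"constructed certificate for source B")
    store.allocate(issue_capability(ident_a, 100, subject_to_global_limit=True))
    store.allocate(issue_capability(ident_b, 50, subject_to_global_limit=False))
    r = {}
    r["a_first"] = store.write(ident_a, "config", b"x" * 60)              # 60 in use
    r["a_second_process"] = store.write(ident_a, "doc", b"y" * 30)        # 90: shared quota
    r["a_quota_blocked"] = _fails(lambda: store.write(ident_a, "more", b"z" * 20), OSError)
    r["b_exempt_from_global"] = store.write(ident_b, "state", b"w" * 50)  # global now 140 > 120, B exempt
    r["a_global_blocked"] = _fails(lambda: store.write(ident_a, "small", b"v" * 10), OSError)
    r["b_cannot_read_a"] = _fails(lambda: store.read(ident_b, "config"), KeyError)
    r["a_reads_own"] = store.read(ident_a, "config") == b"x" * 60
    forged = issue_capability(ident_a, 100, subject_to_global_limit=True)
    forged["body"]["max_bytes"] = 10 ** 9                                  # inflate quota after signing
    r["forged_capability_rejected"] = _fails(lambda: store.allocate(forged), PermissionError)
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two points of the design are worth noting. The quota is charged against the identity, not the process, so the second write in the scenario (a different process under identity A) draws on the same 100-byte allowance. And the global-limit flag is part of the signed body, so the client cannot be talked into exempting an identity unless the trusted source signed that exemption; the forged-capability case shows the check that makes an altered size or flag fail verification.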